DeFi exploits YTD

Crypto analyst Cipher’s tally shows at least 15 distinct DeFi security incidents since January 2026, a count tracked and reported across crypto news outlets. (kucoin.com) The three single largest losses flagged in coverage are Step Finance (~$27.3M drained from treasury wallets), Truebit (~$26M stolen via a smart‑contract overflow), and Resolv (an exploit that resulted in tens of millions moved or minted). (coindesk.com) (certik.com) (theblock.co) The Resolv incident specifically involved the unauthorized minting of roughly 80 million USR tokens on‑chain while investigators estimate the attacker extracted about $25 million in value, and protocol operators paused contracts and burned portions of the illicit supply. (theblock.co) Across the reported early‑2026 incidents, public tracking shows only about $9 million has been clawed back or otherwise recovered so far, leaving the great majority of drained funds unrecovered on‑chain. (coinedition.com) Security post‑mortems and firm analyses point to a narrow set of recurring vectors this quarter—compromised private keys and treasury signing infrastructure for Step Finance, an integer‑overflow/minting bug for Truebit, and broken mint logic for Resolv—rather than a single novel exploit class. (halborn.com) (certik.com) (ambcrypto.com) Insurers and underwriters say a persistent data deficit and thin historical loss tables are constraining capacity for smart‑contract coverage, while surveys of institutional allocators show counterparty and operational risk have become the top crypto concerns prompting increased real‑time auditing and larger compliance budgets. (insurancebusinessmag.com) (sqmagazine.co.uk) Industry security research also reports material market consequences: a recent analysis found tokens hit by hacks on average fall roughly 61% over six months and frequently fail to regain pre‑hack levels, amplifying losses for holders and counterparties. (cointelegraph.com)